fix: enforce path boundary in built-in agent file tools and restrict YAML callback invocation #5413
Open
adilburaksen wants to merge 1 commit into google:main from
Conversation
…YAML callback invocation

resolve_root_directory.py:
- Add _validate_root_directory() to reject absolute paths and '..' in session-state-supplied root_directory (mirrors cbcb5e6 for file_artifact_service)
- Enforce project root boundary in resolve_file_path() via .relative_to() for both absolute and relative input paths

config_agent_utils.py:
- Restrict resolve_code_reference() to only invoke callables with args when the resolved object is a class constructor (inspect.isclass()). Plain functions and built-ins (e.g. os.system) cannot be called with args from YAML config.
Summary

This PR fixes two security issues in the Agent Builder Assistant's file tools and YAML agent config loading.

Fix 1 — Path boundary enforcement in resolve_file_path() (resolve_root_directory.py)

Issue: resolve_file_path() accepted absolute paths without checking whether they were within the project root, and trusted root_directory from session state without validation. This allowed file operations outside the intended project directory.

Fix:
- _validate_root_directory() that rejects absolute paths, null bytes, backslashes, and .. components in session-state-supplied root_directory (mirrors the same pattern applied in commit cbcb5e6 for file_artifact_service.py).
- .relative_to() for both absolute and relative inputs.

Fix 2 — Restrict callable invocation in resolve_code_reference() (config_agent_utils.py)

Issue: resolve_code_reference() called any Python callable with attacker-supplied args from YAML config at deserialization time. This allowed specifying dangerous built-ins (e.g. os.system) as callbacks with arbitrary arguments.

Fix: Only invoke a callable with args when the resolved object is a class constructor (inspect.isclass()). Plain functions cannot be called with args from YAML config; they are returned as references for the framework to invoke at the appropriate time.

Testing

Both fixes are verified with unit tests confirming:
- root_directory: "/" injection is blocked
- os.system and other non-class callables with args are blocked in YAML config
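Added illustration of the two checks the PR describes, written for this page and not taken from the project's own code: a root_directory validator, a resolve_file_path that enforces the boundary with relative_to(), and a code-reference resolver that only instantiates classes. Function names, the /tmp/adk_project root and the sample inputs are assumptions.

```python
import importlib
import inspect
from pathlib import Path, PurePosixPath


def validate_root_directory(root_directory: str) -> str:
    """Reject session-state values that could move the root outside the project.

    Absolute paths, null bytes, backslashes and any '..' component are refused.
    """
    if root_directory.startswith("/") or "\x00" in root_directory or "\\" in root_directory:
        raise ValueError(f"rejected root_directory: {root_directory!r}")
    if ".." in PurePosixPath(root_directory).parts:
        raise ValueError(f"rejected root_directory: {root_directory!r}")
    return root_directory


def resolve_file_path(project_root: str, root_directory: str, file_path: str) -> Path:
    """Resolve file_path under project_root/root_directory or raise ValueError.

    Relative inputs are joined to the base; absolute inputs are taken as given.
    resolve() collapses '..' and symlinks first, so relative_to() judges the
    real location, not the textual prefix.
    """
    base = (Path(project_root) / validate_root_directory(root_directory)).resolve()
    candidate = Path(file_path)
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()
    resolved.relative_to(base)  # raises ValueError when resolved escapes base
    return resolved


def resolve_code_reference(ref: str, args=None):
    """Resolve 'module.attr'; instantiate it with args only if it is a class.

    A plain callable such as os.system is handed back as a reference and is
    never invoked here, so config-supplied args cannot drive it.
    """
    module_name, _, attr = ref.rpartition(".")
    obj = getattr(importlib.import_module(module_name), attr)
    if args is None:
        return obj
    if not inspect.isclass(obj):
        raise ValueError(f"{ref} is not a class; args are not allowed")
    return obj(**args)


if __name__ == "__main__":
    print(resolve_file_path("/tmp/adk_project", "src", "main.py"))  # constructed root
```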